About writing custom search commands

You can extend the Splunk Search Processing Language (SPL) by customizing the built-in commands, or by writing your own search commands for custom processing or calculations.

If you use Splunk Cloud, you do not have filesystem access to your Splunk deployment. If you want to create custom search commands, file a Support ticket.

The following table describes the protocols, formats, and SDKs that you can use to create custom search commands.

| Supported protocols | Description | Supported executable formats | SDK |
|---|---|---|---|
| Custom Search Command protocol, Version 2 | Use to create custom commands for a wide range of platforms and executable formats. | .bat, .cmd, .exe, .js, .pl, .py, .sh | Splunk SDK for Python |
| Custom Search Command protocol, Version 1 | Use with the Splunk SDK for Python to create custom commands for Python. Use with the Intersplunk.py SDK only to support existing custom commands. | .pl, .py | Splunk SDK for Python, Intersplunk.py |

Custom search commands that use Version 2 of the Custom Search Command protocol can be implemented in a variety of programming languages. These custom commands can even be implemented as platform-specific binary files.

By contrast, custom search commands that use the Version 1 protocol can be implemented only in Python. Custom commands that use the Version 1 protocol can only run using the Python interpreter that is included with the Splunk software.

About the SDKs

Use the Splunk SDK for Python to create custom search commands. The Splunk SDK for Python includes several templates that you can use to build new custom search commands.

Intersplunk.py is an older SDK and should only be used to support existing custom search commands that were built using the Version 1 protocol. You should not use the Intersplunk.py SDK for new custom search commands.

About the protocols

Version 2 protocol

There are significant advantages to using Version 2 of the Custom Search Command protocol.

With the Version 2 protocol, an external program processes an entire set of Splunk search results in one invocation. The external program is invoked once for the entire search, greatly reducing runtime overhead.

The Version 2 protocol requires fewer configuration attributes than the Version 1 protocol.
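To make the single-invocation model concrete, here is an added example (not code from the Splunk documentation or SDK) of a Version 2 style command loop written without the SDK, which validates each chunk's declared lengths before trusting them. The chunk framing it uses (a `chunked 1.0,<metadata length>,<body length>` header line, JSON metadata, CSV body) is not described on this page, and the `getinfo`/`execute` handling is simplified; the names `read_chunk`, `write_chunk`, `run`, `transform` and `demo`, and the sample session, are constructed for illustration.

```python
import csv, io, json, re

HEADER = re.compile(rb"chunked 1\.0,(\d+),(\d+)\n")  # transport header of each chunk

def read_chunk(stream):
    """Return (metadata dict, CSV body text) for the next chunk, or None at EOF."""
    line = stream.readline()
    if not line:
        return None
    m = HEADER.fullmatch(line)
    if m is None:
        raise ValueError("malformed transport header: %r" % line)
    meta_len, body_len = int(m.group(1)), int(m.group(2))
    meta, body = stream.read(meta_len), stream.read(body_len)
    if len(meta) != meta_len or len(body) != body_len:
        raise ValueError("truncated chunk")
    return json.loads(meta), body.decode("utf-8")

def write_chunk(stream, metadata, body=""):
    """Frame one chunk: header line, then JSON metadata, then CSV body."""
    meta, data = json.dumps(metadata).encode("utf-8"), body.encode("utf-8")
    stream.write(b"chunked 1.0,%d,%d\n" % (len(meta), len(data)) + meta + data)

def run(stdin, stdout, transform):
    """Handle every chunk of one search inside a single process invocation."""
    while (chunk := read_chunk(stdin)) is not None:
        meta, body = chunk
        if meta.get("action") == "getinfo":  # handshake: declare the command type
            write_chunk(stdout, {"type": "streaming"})
            continue
        rows = [transform(r) for r in csv.DictReader(io.StringIO(body))]
        out = io.StringIO()
        if rows:
            writer = csv.DictWriter(out, fieldnames=list(rows[0]))
            writer.writeheader()
            writer.writerows(rows)
        write_chunk(stdout, {"finished": meta.get("finished", False)}, out.getvalue())

def demo():
    """Replay a constructed three-chunk session and return the decoded replies."""
    session, replies = io.BytesIO(), io.BytesIO()
    write_chunk(session, {"action": "getinfo"})
    write_chunk(session, {"action": "execute", "finished": False}, "host\r\nweb01\r\n")
    write_chunk(session, {"action": "execute", "finished": True}, "host\r\ndb01\r\n")
    session.seek(0)
    run(session, replies, lambda row: {**row, "host_upper": row["host"].upper()})
    replies.seek(0)
    return list(iter(lambda: read_chunk(replies), None))

if __name__ == "__main__":
    for metadata, body in demo():
        print(metadata, repr(body))
```

In a real deployment the loop would read from `sys.stdin.buffer` and write to `sys.stdout.buffer`, flushing after each reply.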

Comments

Thanks DUThibault, fixed :-)

Lstewart splunk, Splunker

May 3, 2018

"Custom Search Command protocol, can be implemented" should be "Custom Search Command protocol can be implemented"

DUThibault

May 3, 2018

Ww9rivers -
Thank you for your comment. Looking at this series of topics, I see that there are no links between them, so I added several links (in the See also sections at the bottom of the pages) between the topics.
